
builder-header macro


this is a post to gauge the usefulness of this proposed macro...

the idea is for the content of this macro to be added to the header section of the html document ... kinda like the before html end, but macro based, eg:

{builder-header}
 {style}
  .whatever{display:none}
 {style}
 {builder-javascript}
   alert("none");
 {builder-javascript}
{builder-header}

which would cause the contained macros to be included within the html header of the document being displayed ... this macro would be trivial to implement, but is it useful?

Added by Alain Moran on Feb 14, 2008 02:59, last edited by Alain Moran on Feb 14, 2008 03:01


Updated by Guy Fraser
Jul 03, 2008 16:17

This is related to [NEXTGENCODER:API for macros (ponder)] - it might be worth having something that parses the HTML from the action and grabs style sheets and puts them into more suitable locations.

Having a builder-header macro would allow people to come up with all sorts of new ways for adding XSS exploits - eg. they could do something like:

{builder-header}
{builder-javascript}
</script>
do nasty stuff here
<script>
{builder-javascript}

While it might sound easy to just strip the script tag, I've seen some utterly devious ways of getting around such checks (to the point where even lengthy regexes can't be complex enough to prevent the hack).

If we had an API, especially if we could develop it in cooperation with Atlassian, for plugins to say "i need to output this style sheet because I'm used on this page" and have the API responsible for outputting the style tag, etc., in the relevant place.

WebResourceManager.getResources() - Confluence 2.8
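
The two points in the comment above, as an added example that is not part of either post and is not Theme Builder or Confluence code: a single-pass script-tag strip leaves the break-out tags in place on a constructed input, while a registry that only accepts resource keys never copies macro body text into the header. Every name here (naiveStripScript, HeaderResources, the resource key and URL) is hypothetical.

```javascript
// Added example; all names are hypothetical, not a Confluence or Theme Builder API.

// Single-pass tag stripping, the kind of check the comment warns about.
function naiveStripScript(body) {
  return body.replace(/<\/?script[^>]*>/gi, '');
}

// Constructed input: removing the inner tags splices the outer fragments
// back into the very tags the filter was meant to remove.
const constructedBody = '</scr</script>ipt>marker<scr<script>ipt>';

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Registry: resources are declared by plugin code up front, and a page render
// can only ask for them by key. No macro body is ever copied into <head>.
class HeaderResources {
  constructor() {
    this.registered = new Map();
    this.required = new Set();
  }
  register(key, type, url) {
    if (type !== 'css' && type !== 'js') throw new Error('unsupported type: ' + type);
    this.registered.set(key, { type, url });
  }
  require(key) {
    if (!this.registered.has(key)) throw new Error('unknown resource key: ' + key);
    this.required.add(key); // Set de-duplicates repeated requests
  }
  render() {
    const tags = [];
    for (const key of this.required) {
      const { type, url } = this.registered.get(key);
      tags.push(type === 'css'
        ? '<link rel="stylesheet" href="' + escapeAttr(url) + '">'
        : '<script src="' + escapeAttr(url) + '"></script>');
    }
    return tags.join('\n');
  }
}
```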

